If you've written your first iRule, you've most likely used the log command to check your iRule logic or reflect the status of the connections running through it.  Recent updates to the log command make it even more useful by providing direct support within iRules for selective remote syslogging.

Remote Log Server Support

In LTM 9.4.0, the log command was enhanced to provide the ability to send messages to a remote server. You can also optionally specify the remote port if you want messages to be sent to a port other than the default remote syslog port (514). If you specify a remote log server address, you must also specify at least the log facility.

This discretionary remote log server support is extremely useful if you want specific iRule activity logged to a remote location, but still want to retain your existing global syslog-ng configuration.

Rule Name Suppression

By default, every BIG-IP log message looks something like the sample below:

Apr  8 04:20:42 tmm tmm[1595]: 01220002:6: Rule : Log me, baby

The "-noname" option was added in LTM 9.4.2 to allow suppression of any "Rule : <rulename> <event>" string that LTM may prefix to the message. Its intended use was for remote logging, but it works locally as well. If you include the "-noname" option, you must also specify at least the log facility.

Examples

Here is the recommended basic log command syntax for local logging at the default log level. Specifying the facility ensures all activities will be logged as unique events; local0 is the default facility for LTM logging:

  log local0. "Log me one time"

The resulting output looks like this:

Apr  8 04:20:42 tmm tmm[1595]: Rule : Log me one time


This example uses the "-noname" option to log locally while suppressing the "Rule : " string prefixing the message text:

  log -noname local0. "I could not speak"

with this result:

Apr  8 04:20:42 tmm tmm[1595]: I could not speak


Use this syntax to specify a remote syslog server on the default port, facility & level:

  log 192.168.0.1 local0. "Log me 2x, girl"

The message with the "Rule : " prefix will be sent to the remote server:

  Rule : Log me 2x, girl


This syntax will log to the syslog service at 192.168.0.1 on port 5514, suppressing the "Rule : " prefix:

  log -noname 192.168.0.1:5514 local0. "Log me all thru the week"

The message, this time without the "Rule : " prefix, will be sent to the remote server on the specified port:

  Log me all thru the week


You can still specify the log level in addition to the facility as in previous versions:

  log 192.168.0.1:514 local0.warning "Log me 2x"

and the message format remains unchanged, although the receiving server may filter it differently:

Rule : Log me 2x


And finally you can combine all 3 to send messages to a remote server on an alternate port, specifying a new log facility and level, and suppressing the iRule name output:

  log -noname 192.168.0.1:5514 local3.warning "I'm goin' away"

This message will be sent to 192.168.0.1:5514 on local3.warning:

I'm goin' away
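
The options above combined in one complete iRule, as an added example that is not part of the original article: it sends only denied requests (HTTP 401/403) to the remote server and keeps server errors in the local log. The collector address, port and local3 facility are reused from the samples above; the event choice, variable names and key=value field names are assumptions made for illustration.

```tcl
# Added example (not from the original article).
# Assumption: 192.168.0.1:5514 is the remote syslog collector, as in the samples above.
when HTTP_REQUEST {
    # Capture request details now; they are read again in HTTP_RESPONSE.
    set client [IP::client_addr]
    set method [HTTP::method]

    # Request-supplied values go into the log line, so strip control
    # characters and cap their length. With -noname there is no
    # "Rule : " prefix on the line, so the message text is all the
    # receiver has to go on.
    regsub -all {[[:cntrl:]]} [HTTP::host] "" vhost
    set vhost [string range $vhost 0 127]
    regsub -all {[[:cntrl:]]} [HTTP::uri] "" uri
    set uri [string range $uri 0 255]
}

when HTTP_RESPONSE {
    set status [HTTP::status]

    if { $status == 401 || $status == 403 } {
        # Remote server, alternate port, separate facility and level,
        # rule name suppressed so the receiver sees a clean key=value line.
        log -noname 192.168.0.1:5514 local3.warning "event=http_denied client=$client status=$status method=$method host=\"$vhost\" uri=\"$uri\""
    } elseif { $status >= 500 } {
        # Local log only, default facility, with the "Rule : " prefix kept
        # so the source iRule is visible in the local log.
        log local0.err "server error $status for $method $vhost$uri from $client"
    }
}
```

Using a facility other than local0 for the remote messages lets the receiving syslog server route or filter them separately from other LTM traffic.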


More on logging with iRules…

Full details of the “log” command can be found in the iRules wiki: https://devcentral.f5.com/wiki/default.aspx/iRules/log.html

Joe’s iRule Debugging article: iRules 101 #09 - Debugging

Need more extensive or global syslog configuration changes in LTM 9.4.2 & above? Check this: LTM 9.4.2+: Custom Syslog Configuration

